authorWojtek Kosior <koszko@koszko.org>2023-09-02 17:59:33 +0200
committerWojtek Kosior <koszko@koszko.org>2023-09-02 17:59:33 +0200
commitc4644ad9eb16c5b62a9b3042a07c89c866f453c0 (patch)
tree9126410c2fda902d0cf4d6333d371c0615c17782
parent816ff7ecd4a39c9918141c9fee10932cecb52565 (diff)
downloadkoszko-org-server-c4644ad9eb16c5b62a9b3042a07c89c866f453c0.tar.gz
koszko-org-server-c4644ad9eb16c5b62a9b3042a07c89c866f453c0.zip
Add Knot to the container
-rw-r--r--container.scm87
-rwxr-xr-xguix-container.sh35
2 files changed, 108 insertions, 14 deletions
diff --git a/container.scm b/container.scm
index a2f3cb6..ea5083b 100644
--- a/container.scm
+++ b/container.scm
@@ -35,7 +35,8 @@
(use-service-modules web
shepherd
certbot
- mail)
+ mail
+ dns)
(define %here
(getcwd))
@@ -609,6 +610,89 @@ exim_path = /run/setuid-programs/exim
"/etc/dovecot/users")))))
(mail-location "maildir:~/Maildir"))))
+(define %1984-freedns-nameservers
+ '(("ns0.1984.is" "45.76.37.222")
+ ("ns1.1984.is" "194.58.192.36")
+ ("ns2.1984.is" "45.32.180.186" "93.95.226.52")
+ ("ns1.1984hosting.com" "185.42.137.114")
+ ("ns2.1984hosting.com" "93.95.226.53")))
+
+(define (make-zone-entries domain)
+ (define-zone-entries entries-sans-ns
+ ;; domain->IP assignments
+ ("@" "" "IN" "A" "93.95.227.159")
+ ("@" "" "IN" "AAAA" "fe80::5054:5dff:fe5f:e39f")
+ ("*" "" "IN" "CNAME" "@")
+ ;; mail
+ ("@" "" "IN" "MX 10" "koszko.org.")
+ ;; dmarc
+ ("@" "" "IN" "TXT" "\"v=spf1 ip4:93.95.227.159 -all\"")
+ ("_dmarc" "" "IN" "TXT" "\"v=DMARC1;p=reject;rua=mailto:dmarc@koszko.org;ruf=mailto:dmarc@koszko.org;rf=afrf;pct=100\"")
+ ("mail._domainkey" "" "IN" "TXT" "(
+ \"k=rsa;t=s;p=MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAx0kXNRIL\"
+ \"VRDaU1iPdUu2FwX+pRbNS4DwojiOYznESt1npY8LzYV3MBKf2XXOSl+6Ui8Jy91V\"
+ \"KzoUqwN9Rh6vdsLYPaMMtPUe/gN1AOqyF4qYqz499VZqRLmoPyq4EV5eRSqbDeDb\"
+ \"eDOaoJ0+ZJHG6qg2eAz1v2U++lsSRTOkXe3xZFxrHRrvXg5JVl5DNGRKBjotwW8O\"
+ \"EMhwUa2LbmJA/EbbCWhXfmaIEwqP2LRUF2HqFMSr4IHHopcTKQwpSwbsOGYG8MV1\"
+ \"c5HelO+OROpuUNPE8YoKVHKwfWdwgStrrkSYK+H5JQvJgFvyfsyePfXfqszde+4B\"
+ \"EC34ScPW86HKmw4JltFpBCiBThYdD0fu8g5mQzdtwNUbCcPkuUDrUTA4TE44ScHO\"
+ \"VYDX0QWaUubrsf5F1+bwyTKuzbUHXnbXw7r7JLC2P4CjtsS4MLYjrfeQ3TIEdj+s\"
+ \"WtWVItIVQnFRuSTFmHKqnWNDSjmTeH5m8FWPQeDjXRj2e1f5vCrfIvyXTzWvOeIw\"
+ \"DU2QfyUPUKaL9hvNvX9S3G45qM/CH5UTRc2BC0dFZHBNR/uLTGMYaatfw2QAxQzs\"
+ \"cmw34IgwLGswxFj3iaDwc8d3Uh+JamFBf+GUrwjRs/sVRRiXrB+qKwlxckzWHVbV\"
+ \"oABCxjKDmvE86L3kCQ+MobG0BOtFBR4BqU8CAwEAAQ==\"
+)")
+ ((string-append domain "._report._dmarc") "" "IN" "TXT" "\"v=DMARC1\""))
+
+ (append (list (zone-entry (type "NS")
+ (data "vps-93-95-227-159.1984.is.")))
+ (map (match-lambda ((ns rest ...)
+ (zone-entry (type "NS")
+ (data (string-append ns ".")))))
+ %1984-freedns-nameservers)
+ entries-sans-ns))
+
+(define %koszko-org-zone-configuration
+ (knot-zone-configuration
+ (domain "koszko.org")
+ (zone (zone-file
+ (origin "koszko.org")
+ (entries (make-zone-entries "koszko.org"))
+ (ns "vps-93-95-227-159.1984.is.")
+ (mail "koszko")
+ (serial 2023090200)))
+ (acl '("allow-axfr-from-1984"))
+ (semantic-checks? #t)
+ (notify (map car %1984-freedns-nameservers))))
+
+(define %koszkonutek-tmp.pl.eu.org-zone-configuration
+ (knot-zone-configuration
+ (domain "koszkonutek-tmp.pl.eu.org")
+ (zone (zone-file
+ (origin "koszkonutek-tmp.pl.eu.org")
+ (entries (make-zone-entries "koszkonutek-tmp.pl.eu.org"))
+ (ns "vps-93-95-227-159.1984.is.")
+ (mail "wk")
+ (serial 2023090200)))
+ (acl '("allow-axfr-from-1984"))
+ (semantic-checks? #t)
+ (notify (map car %1984-freedns-nameservers))))
+
+(define %koszko-knot-service
+ (service knot-service-type
+ (knot-configuration
+ (acls (list (knot-acl-configuration
+ (id "allow-axfr-from-1984")
+ (address (append-map cdr %1984-freedns-nameservers))
+ (action '(transfer)))))
+ (remotes (map (match-lambda ((ns addresses ...)
+ (knot-remote-configuration
+ (id ns)
+ (address addresses))))
+ %1984-freedns-nameservers))
+ (zones (list %koszko-org-zone-configuration
+ %koszkonutek-tmp.pl.eu.org-zone-configuration)))))
+
(operating-system
(host-name "koszko")
(timezone "Europe/Warsaw")
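Review bot: The apex `AAAA` entry in `make-zone-entries` publishes `fe80::5054:5dff:fe5f:e39f`, which is a link-local address (fe80::/10) and therefore unreachable from outside the host's own link; IPv6-capable clients and MTAs will try it first and only fall back to the A record after a timeout, so the entry should either be dropped or replaced with the machine's global address (`"<GLOBAL-IPV6-PLACEHOLDER>"`). If a global AAAA is added later, note that the SPF record lists only `ip4:` with `-all`, so mail delivered over IPv6 would then fail SPF. Separately, the TXT generated by `(string-append domain "._report._dmarc")` lands in the zone of the same domain it names, whereas for reports about koszkonutek-tmp.pl.eu.org sent to `dmarc@koszko.org` the external-destination authorization (RFC 7489 §7.1) has to be `koszkonutek-tmp.pl.eu.org._report._dmarc` inside the koszko.org zone; as written, receivers that verify external report destinations may discard those reports.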
@@ -736,4 +820,5 @@ exim_path = /run/setuid-programs/exim
%koszko-exim-service
%koszko-mail-aliases-service
%koszko-dovecot-service
+ %koszko-knot-service
%base-services)))
diff --git a/guix-container.sh b/guix-container.sh
index 2a96b71..5d2983b 100755
--- a/guix-container.sh
+++ b/guix-container.sh
@@ -81,7 +81,11 @@ done
GUILE_PID=
SUCCESS=
QUIET_EXIT=
-FORWARDED_PORTLISTS="25,12525,465,587 993"
+FORWARDED_PORTLISTS="tcp:25,12525,465,587 tcp:993 udp:53 tcp:53"
+
+colon_sep_field() {
+ printf '%s\n' "$1" | awk -F : "{print \$$2}"
+}
is_running() {
test -e "$PIDFILE" && test -n "$(ps -o pid= --pid $(cat "$PIDFILE"))"
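Review bot: `colon_sep_field` splices its second argument into the awk program text (`"{print \$$2}"`), so the field number is evaluated as awk code rather than passed as data; the four call sites in network_setup and network_rip pass the literals 1 and 2, so this works today, but the safer and simpler form is `awk -F : -v n="$2" '{print $n}'` or plain `cut -d : -f "$2"`. An entry in `FORWARDED_PORTLISTS` without a colon also yields an empty first field, which the callers then pass as `-p ""` and iptables rejects with an unhelpful message; shell parameter expansion (`${PORTLIST%%:*}` for the protocol, `${PORTLIST#*:}` for the ports) avoids the subprocess entirely and makes a missing colon visible, since the whole entry then shows up as the protocol.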
@@ -120,17 +124,18 @@ network_setup() {
iptables -t nat -A POSTROUTING \
-s 10.207.87.1/24 -o "$LINKNAME" -j MASQUERADE
for PORTLIST in $FORWARDED_PORTLISTS; do
- iptables -t nat -A PREROUTING \
- -i "$LINKNAME" -p tcp \
- -m multiport --dports "$PORTLIST" \
+ iptables -t nat -A PREROUTING \
+ -i "$LINKNAME" -p "$(colon_sep_field "$PORTLIST" 1)" \
+ -m multiport --dports "$(colon_sep_field "$PORTLIST" 2)" \
-j DNAT --to-destination 10.207.87.2
done
done
for PORTLIST in $FORWARDED_PORTLISTS; do
- iptables -t nat -A OUTPUT \
- -d "$(resolve_ipv4_domain koszko.org)" -p tcp \
- -m multiport --dports "$PORTLIST" \
+ iptables -t nat -A OUTPUT \
+ -d "$(resolve_ipv4_domain koszko.org)" \
+ -p "$(colon_sep_field "$PORTLIST" 1)" \
+ -m multiport --dports "$(colon_sep_field "$PORTLIST" 2)" \
-j DNAT --to-destination 10.207.87.2
done
@@ -160,9 +165,11 @@ network_rip() {
for LINKNAME in $(ip route | grep default | awk '{print $5}'); do
for PORTLIST in $FORWARDED_PORTLISTS; do
- iptables_rip_rule -t nat -D PREROUTING \
- -i "$LINKNAME" -p tcp \
- -m multiport --dports "$PORTLIST" \
+ iptables_rip_rule -t nat -D PREROUTING \
+ -i "$LINKNAME" \
+ -p "$(colon_sep_field "$PORTLIST" 1)" \
+ -m multiport \
+ --dports "$(colon_sep_field "$PORTLIST" 2)" \
-j DNAT --to-destination 10.207.87.2
done
iptables_rip_rule -t nat -D POSTROUTING \
@@ -171,9 +178,11 @@ network_rip() {
done
for PORTLIST in $FORWARDED_PORTLISTS; do
- iptables_rip_rule -t nat -D OUTPUT \
- -d "$(resolve_ipv4_domain koszko.org)" -p tcp \
- -m multiport --dports "$PORTLIST" \
+ iptables_rip_rule -t nat -D OUTPUT \
+ -d "$(resolve_ipv4_domain koszko.org)" \
+ -p "$(colon_sep_field "$PORTLIST" 1)" \
+ -m multiport \
+ --dports "$(colon_sep_field "$PORTLIST" 2)" \
-j DNAT --to-destination 10.207.87.2
done
}